openssh 3.9-1 + chroot - was Re: [WBEL-users] How to uninstall an rpm package which has dependencies?

bishop bishop@platypus.bc.ca
Sat, 13 Nov 2004 01:15:55 -0800


Jean,

Do you do the setup on the sftp-server shell?  I thought that one does 
it on the user's homedir:

	usermod -d /home/bishop/./ bishop

No?

If 'path-to-chroot' is, for example, /var/chroot/, then did you mkdir -p 
/var/chroot/usr/kerberos/lib and cp -a /usr/kerberos/lib/{some,libs} to 
/var/chroot/usr/kerberos/lib ?  I think that is what you have to do.

Unfortunately, I don't have any experience with that software;  I just 
know how to package it.  :-)  Like I said, I use scponly(.sf.net) for my 
login shells, and it provides just enough security.

  - bish

Jean Lee wrote:

> Hi bishop,
> 
> OK I tried your rpms. The installation is OK and I succeeded in creating a 
> jail which works for ssh.
> I followed the manual which is available here:
> 
> http://www.netadmintools.com/art294.html
> 
> The problem is that it doesn't work with sftp-server.
> 
> 
> During the creation of the chroot environment, I made a copy of  
> /usr/libexec/openssh/sftp-server to 
> "path-to-chroot"/./usr/libexec/openssh/sftp-server
> then :
> cd "path-to-chroot"/./usr/libexec/openssh/
> ldd sftp-server
> 
> The output gives some libraries which I copied into the correct folders.
> 
> When I tried: sftp jean@ServeurLinux
> I am asked for a password and then I get an error telling me that a 
> library related to kerberos is not found.
> I verified and this library is at the place which is told by ldd (+the 
> "path-to-chroot")......
> 
> It is related to this kerberos library because I tried to remove 
> libz.so.1 (which is also needed by sftp-server) and the error message 
> was then that it didn't find libz.so.1. So I suppose that when this 
> library is well placed, sftp-server can find it.
> 
> Do you have any idea why sftp-server doesn't find this kerberos library?
> 
> Thank you for your support.
> 
> Jean
> 
> bishop wrote:
> 
>>
>> Hey Jean,
>>
>> The SRPM (Source RPM) contains the necessary code to build RPMs.  It's 
>> really just a cpio of the tar.gz, some diffs and a build script (.spec).
>>
>> Building the RPMs is done with
>>     rpm -i openssh.src.rpm
>>     rpmbuild -ba openssh.spec
>>
>> Here's the current patch for the spec file to integrate the chroot diff:
>>
>>> --- /home/bishop/RPM/SPECS/openssh.spec~        2004-11-09 
>>> 03:35:49.000000000 -0800
>>> +++ /home/bishop/RPM/SPECS/openssh.spec 2004-11-09 10:15:59.000000000 
>>> -0800
>>> @@ -86,7 +86,7 @@
>>>  %if %{rescue}
>>>  Release: %{rel}rescue
>>>  %else
>>> -Release: %{rel}
>>> +Release: %{rel}%{?_with_chroot:chroot}
>>>  %endif
>>>  URL: http://www.openssh.com/portable.html
>>>  Source0: 
>>> ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz 
>>>
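Review bot: in the `Release:` line of the `%else` branch, `%{rel}%{?_with_chroot:chroot}` appends the suffix with no separator, so the release reads `1chroot`. A dot (`%{rel}%{?_with_chroot:.chroot}`) keeps the numeric release visible as its own field and makes the variant tag easier to pick out when querying installed packages.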
>>> @@ -98,6 +98,7 @@
>>>  Patch4: openssh-3.9p1-skip-initial.patch
>>>  Patch11: 
>>> http://www.sxw.org.uk/computing/patches/openssh-3.6.1p2-gssapi-20030430.diff 
>>>
>>>  Patch12: openssh-selinux.patch
>>> +Patch15: 
>>> http://chrootssh.sourceforge.net/download/osshChroot-3.6.1.diff
>>>  License: BSD
>>>  Group: Applications/Internet
>>>  BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
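Review bot: `Patch15` points at `osshChroot-3.6.1.diff`, while the neighbouring `Patch4` is `openssh-3.9p1-skip-initial.patch`, so a diff written against 3.6.1 is being applied to a newer tree. Confirm that it applies without fuzz or rejects and that its hunks still land in the intended code, and consider carrying a local, rebased copy named for the version it was checked against instead of a remote URL.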
>>> @@ -150,6 +150,7 @@
>>>  %if ! %{build6x}
>>>  Requires: /etc/pam.d/system-auth
>>>  %endif
>>> +%{?_with_chroot:Provides: ssh-server-chroot}
>>>
>>>  %package askpass
>>>  Summary: A passphrase dialog for OpenSSH and X.
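Review bot: the added `Provides: ssh-server-chroot` is unversioned and sits in whichever package section ends just before `%package askpass`; the visible context does not show that this is the server subpackage. Check that it lands in the server subpackage's section, and consider `Provides: ssh-server-chroot = %{version}-%{release}` so that dependants can require a specific build.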
>>> @@ -226,6 +227,10 @@
>>>  %patch12 -p1 -b .selinux
>>>  %endif
>>>
>>> +%if %{?_with_chroot:1}%{?!_with_chroot:0}%{?commentish:These 
>>> constructs suck}
>>> +%patch15 -p1 -b .chroot
>>> +%endif
>>> +
>>>  %build
>>>  CFLAGS="$RPM_OPT_FLAGS"; export CFLAGS
>>>  %if %{rescue}
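Review bot: the `%if` condition carries `%{?commentish:These constructs suck}`, which expands to nothing only while `commentish` is undefined; if that macro is ever defined, the text is appended to the `1` or `0` and the conditional no longer parses. Drop it and set a 0/1 flag once near the top of the spec, so that this reads `%if %{chroot}` in the same style as the existing `%if %{rescue}`.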
>>
>>
>>
>> (yes, I hate line 89 too)
>>
>> Okay, I'm in my meeting now, so I can't test/examine the RPMs at all, 
>> but if you want to test something, grab these:
>>
>>> Wrote: 
>>> /home/bishop/public_html/apt/i386/wb30/SRPMS.extras/openssh-3.9p1-1chroot.src.rpm 
>>>
>>> Wrote: 
>>> /home/bishop/public_html/apt/i386/wb30/RPMS.extras/openssh-3.9p1-1chroot.i386.rpm 
>>>
>>> Wrote: 
>>> /home/bishop/public_html/apt/i386/wb30/RPMS.extras/openssh-clients-3.9p1-1chroot.i386.rpm 
>>>
>>> Wrote: 
>>> /home/bishop/public_html/apt/i386/wb30/RPMS.extras/openssh-server-3.9p1-1chroot.i386.rpm 
>>>
>>> Wrote: 
>>> /home/bishop/public_html/apt/i386/wb30/RPMS.extras/openssh-askpass-3.9p1-1chroot.i386.rpm 
>>>
>>> Wrote: 
>>> /home/bishop/public_html/apt/i386/wb30/RPMS.extras/openssh-askpass-gnome-3.9p1-1chroot.i386.rpm 
>>>
>>
>>
>>
>> They may work.  I have them here (but get the right ones!) :
>>
>> http://apt.platypus.bc.ca/~bishop/apt/i386/wb30/RPMS.extras/
>> http://apt.platypus.bc.ca/~bishop/apt/i386/wb30/SRPMS.extras/
>>
>> I'll examine the RPM later today, as I mentioned.
>>
>> To examine all the changes I've made to the SRPMS:
>>     install one SRPM
>>     move the dirname away (`mv RPM{,1}`)
>>     install the other SRPM
>>     compare them:
>>         diff -uNr --exclude='openssh*gz' RPM{1,}
>>
>> I can send these diffs to you if you are interested.
>>
>>  - bish
>>
>> Jean Lee wrote:
>>
>>> Well, I really made something wrong.
>>>
>>> I was on the openssh website and didn't find the tar.gz files for 
>>> openssh-client, openssh-server, openssh-askpass and 
>>> openssh-askpass-gnome. :) sorry, I'm a newbie.
>>> Bishop, how did you produce these files? Is it something with 
>>> this srpms file?
>>> If the rpm files are produced by the srpms one, how can I apply a 
>>> patch to the tar.gz file and then create the srpms file from this 
>>> patched tar.gz file and then finally obtain my rpm files?
>>>
>>> What do I have installed  (Installation explained in my previous mail)?
>>>
>>> Thank you for your answers because I think that I'm a bit lost.
>>>
>>> Jean
>>>
>>> Jean Lee wrote:
>>>
>>>> Thanks to all of you for your great help.
>>>> This mail is just to give feedback and keep a trace,
>>>>
>>>> I have created an rpm of the patched openssh 
>>>> (openssh-3.9p1-chroot.tar.gz) with the checkinstall binary. I called 
>>>> it openssh-3.9p1-1.i386.rpm and checkinstall automatically installed 
>>>> it.
>>>> I didn't do a 'yum remove openssh-3.6.1p2' because I didn't want to 
>>>> break some dependencies.
>>>>
>>>> When I type 'rpm -q openssh', I have a good return : openssh-3.9p1-1
>>>> but if I try to erase it 'rpm -e openssh', I have the following 
>>>> return :
>>>>
>>>> error: Failed dependencies :
>>>>    openssh = 3.6.1p2-33.30.1 is needed by (installed) 
>>>> openssh-askpass-3.6.1p2-33.30.1
>>>>    openssh = 3.6.1p2-33.30.1 is needed by (installed) 
>>>> openssh-askpass-gnome-3.6.1p2-33.30.1
>>>>    openssh = 3.6.1p2-33.30.1 is needed by (installed) 
>>>> openssh-client-3.6.1p2-33.30.1
>>>>    openssh = 3.6.1p2-33.30.1 is needed by (installed) 
>>>> openssh-server-3.6.1p2-33.30.1
>>>>
>>>> Another thing : If I type 'whereis sshd', the return is :
>>>> /usr/sbin/sshd and /usr/local/sbin/sshd .
>>>> It doesn't seem to be very good..
>>>>
>>>> I will try now to upgrade these 4 tools with standard openssh-3.9p1 
>>>> and see what will come.....
>>>>
>>>> Jean
>>>>
>>>> Randy Kelsoe wrote:
>>>>
>>>>> Jean Lee wrote:
>>>>>
>>>>>> Hello all,
>>>>>>
>>>>>> I think that what I want is not so hard but I really don't know 
>>>>>> how to do it.
>>>>>>
>>>>>> My problem is that I want to uninstall openssh-3.6.1p2 which is 
>>>>>> installed as an rpm package and then install openssh-3.9p1-chroot 
>>>>>> which is a tarball (it is a patched version of Openssh-3.9p1 with 
>>>>>> added chroot functionality).
>>>>>
>>>>> As I suggested in a previous thread of yours, get the checkinstall 
>>>>> package and install it. Then you can untar the openssh-3.9p1-chroot 
>>>>> package, do your './configure', then 'make' and then instead of 
>>>>> doing your normal 'make install', run 'checkinstall' which will 
>>>>> create and install an RPM package for you. That way, if you have 
>>>>> problems with the new package, you can remove it with the 'rpm -e' 
>>>>> command. When you need to upgrade the package, it will be a lot 
>>>>> easier to let rpm do the upgrade and keep track of the files.
>>>>>
>>>>>>
>>>>>> Well, I tried first to uninstall openssh-3.6.1p2 with :
>>>>>> rpm -e openssh
>>>>>> and this command failed due to dependencies to other packages : 
>>>>>> openssh-server, openssh-client, netdump and a few others related 
>>>>>> to openssh...
>>>>>>
>>>>>> I'm sure that I am doing something wrong. Perhaps I can 
>>>>>> first uninstall the packages related to openssh but the one with 
>>>>>> netdump is probably not recommended.. Moreover, I tried to 
>>>>>> uninstall openssh-server and it failed due to a dependency on 
>>>>>> netdump-server.
>>>>>>
>>>>>> What is the right way? Do I really have to uninstall every package 
>>>>>> which has a dependency before uninstalling openssh or is there 
>>>>>> another way which ensures that nothing will be broken?
>>>>>
>>>>> In your case, I would recommend trying the checkinstall method 
>>>>> above first. If you really want to get rid of the dependencies, you 
>>>>> can rpm -e more than one package at a time:
>>>>>
>>>>>    rpm -e openssh openssh-server openssh-client netdump
>>>>>
>>>>> yum is also handy for this:
>>>>>
>>>>>    yum remove packagename
>>>>>
>>>>>
>>>>>>
>>>>>> Thanks for any help,
>>>>>>
>>>>>> Jean
>>>>>
>>>>>
>>
>>
> 

-- 
	To announce that there must be no criticism of the President, or
	that we are to stand by the President, right or wrong, is not
	only unpatriotic and servile, but is morally treasonable to the
	American public.                 - Teddy Roosevelt, 1918
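
The library check described in the thread (run ldd on sftp-server, then confirm that each listed file exists under the jail), as an added example that is not part of the original messages. The sample ldd output, including the library names libkrb5.so.3 and libmissing.so.1, is constructed, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: audit a chroot jail for the shared libraries a binary needs.

# Constructed sample of `ldd sftp-server` output (names and addresses illustrative).
SAMPLE_LDD='    libz.so.1 => /usr/lib/libz.so.1 (0x00b1c000)
    libkrb5.so.3 => /usr/kerberos/lib/libkrb5.so.3 (0x00a5e000)
    libmissing.so.1 => not found
    libc.so.6 => /lib/libc.so.6 (0x00101000)
    /lib/ld-linux.so.2 (0x00e3d000)'

# Read ldd output on stdin, print every absolute path it resolved.
# Covers "name => /path (addr)" lines and the bare dynamic-loader line;
# "not found" and address-only entries are skipped.
ldd_paths() {
  awk '
    $2 == "=>" && $3 ~ /^\// { print $3; next }
    $1 ~ /^\//               { print $1 }
  '
}

# missing_in_jail JAIL: read absolute paths on stdin and print those that do
# not exist at the same location under JAIL. -e follows symlinks, so a copied
# symlink whose target is absent from the jail is reported as missing too.
missing_in_jail() {
  jail=${1%/}
  while IFS= read -r path; do
    [ -e "$jail$path" ] || printf '%s\n' "$path"
  done
}

# Usage: script.sh /var/chroot /usr/libexec/openssh/sftp-server
if [ "$#" -eq 2 ]; then
  ldd "$2" | ldd_paths | missing_in_jail "$1"
fi
```

Run the ldd step against the binary on the host, outside the jail, and pass the jail root as the first argument.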